VoIP use on campus advances cautiously; economy rivaling security for biggest worry
June 4, 2008 A recent survey of ACUTA member colleges and universities indicates that while security issues for Voice over Internet Protocol remain, budgetary concerns are threatening to halt further deployment and hinder sufficient staffing. And while some leaders are hopeful that VoIP users are becoming more confident in security solutions, some security industry experts aren't so sure.
June 4, 2008 A recent ACUTA survey of its member colleges and universities indicates that deployment of Voice over Internet Protocol (VoIP) on college campuses is growing, albeit slowly, due primarily to an uncertain economy affecting state operating budgets.
Funding for staffing is of greater concern than security issues when considering new or additional VoIP deployment, said 52% of participants in the April survey, which was conducted among member schools attending an Association for Communications Technology Professionals in Higher Education (ACUTA) seminar in St. Louis.
A year ago in a similar survey, security was cited by 77% of respondents as "the biggest worry," but in the April survey, ACUTA reports that "just a fraction...expressed any concern about VoIP security." It's not that security issues are being brushed aside, suggests ACUTA leadership; rather, the weak economy's impact on state budgets is making current and future plans for VoIP uncertain at best.
"As an example, the State of Washington is forecasting a billion dollar deficit for the next biennium," notes Dave Ostrom, director of communications and network services at Washington State University, and chairman of ACUTA's legislative and regulatory affairs committee. "Why worry about security when you may be struggling to continue to offer the service?"
ACUTA Executive Director Jeri Semer adds that it's "difficult and risky" to make assumptions as to why survey respondents answered the way they did, without further probing. But a possible contributing factor, Semer suggests, is that with more time and experience with VoIP implementation, some members' concerns about potential security risks have been resolved.
Ostrom concurs, noting the emergence of "more mature" security products, such as Cisco's Unified Communications Manager, which was released as version 6.1 in January and is expected to contain further upgrades and features when version 7.0 is released, as hoped, later this year.
"The interest in VoIP on campuses today is as strong or stronger than it was two years ago, and the technology continues to progress in terms of the number of schools using it," says Semer. "But just as in 2006, this latest survey shows that our member institutions continue to be cautious and methodical about their migration."
The survey showed that two out of three ACUTA member schools are currently using VoIP, but that 82% of respondents said their VoIP network covers 25% or less of their campus--nearly identical to a year ago. While users cite the technology's overall efficiency, improved management, more end-user features, and better use of staff, 38% said quality-of-service and emergency 911 issues, plus difficulty in implementation, are challenges that have led to slow campus-wide growth.
Among schools not using VoIP, 36% of those participating in the ACUTA survey say they plan to implement the technology within the next 18 months, but another 55% say it is part of long-term plans due to factors ranging from budget issues to satisfaction with current networks.
"The low penetration rates on campuses, coupled with the solid plans for growth in VoIP use, suggest that our member information communications technology professionals are simply not going to expand their VoIP network coverage until they are comfortable that it is beneficial for their networks, and for their schools overall," says Semer.
While the survey's apparent decreased concern over security issues may instead be more reflective of members' worries over staffing issues, industry professionals continue to caution that several vulnerabilities in campus-wide VoIP deployment must be guarded carefully.
Late last fall at Black Hat 2007, part of a series of highly technical security conferences, Himanshu Dwivedi of digital security company iSEC PARTNERS warned attendees, "Four to five years ago, we started hearing about the security problems of VoIP, and it's really no better today. The security vendors are not on top of the problem, and users are relying on protocols they think are safe, when in fact they are not."
Of particular concern, says Krishna Kurapati, founder of Sipera VIPER Lab--a Texas-based organization of security researchers--is having proper security for the increasingly common use of SIP (Session Initiation Protocol) trunks. These trunk deployments save organizations money by "peering" the VoIP network with the carrier network. Rather than using the PSTN, the same connection is used for all communications.
"The openness and extensibility of SIP make it an attractive choice ... to realize the promise of unified communications," says Kurapati. "Unfortunately, those very attributes make it attractive to the hacking community and increase the overall security risk."
For the past two years, Sipera Labs has released its "Top 5 VoIP Predictions," and SIP trunk security is at the top of the 2008 list. Other risks, says Sipera, include: third-party data services exploited for eavesdropping; hacking of Microsoft OCS unified communications connections to instant messaging, e-mail, and buddy lists; increased hacker "vishing" attempts, particularly against bank accounts; and attacks on UMA [unlicensed mobile access] features that allow subscribers to have direct access to mobile core networks over IP, yet also make it easier for hackers to spoof identities and use illegal accounts.
Kurapati urges VoIP deployers, "To fully realize the potential of unified communications (UC), organizations need to implement up-to-date security best practices, and proactive UC security and system monitoring."